mirror of
https://github.com/splunk/security_content.git
synced 2026-05-31 14:53:33 +00:00
Page:
5.2 ‐ Detection Types and Status
Splunk Security Content detections have a field called `type`. These types will drive workflow in the product in the future; the currently proposed types are listed below.
See https://car.mitre.org/Glossary for inspiration.
Type
| Type | Description | Example |
|---|---|---|
| TTP | A TTP analytic is designed to detect a certain adversary tactic, technique or procedure. | Attempted Credential Dump From Registry via Reg exe |
| Baseline | A posture analytic is designed to help in the maintenance of the analytic or create a baseline of data for detections to leverage. | Baseline Of Cloud Instances Launched |
| Anomaly | An anomaly analytic triggers on behavior that is not normally observed. Anomalous behavior may not be explicitly malicious but may be suspect, for example an executable that has never been run before, or a process using the network that does not normally do so. Like Situational Awareness analytics, anomaly analytics don't necessarily indicate an attack. | Abnormally High Number Of Cloud Infrastructure API Calls |
| Hunting | A detection that increases the risk of an asset or entity, although it tends to be too noisy to generate a notable event by itself. It leverages aggregated risk from various other detections to produce a notable. Also known as hunting queries. | Common Ransomware Extensions |
| Correlation | An analytic that correlates the results of various detections to surface a high-level threat; its primary purpose is to generate a notable. | Windows Post Exploitation Risk Behavior |
Detection Configurations
Below is a table showing how each type is configured out of the box in ESCU.
| Analytic Type | Generates Notable | Increases Risk (RBA) | Triggers Playbook | Tied to a Dashboard | Runs on CRON Schedule | Enabled OOB |
|---|---|---|---|---|---|---|
| Hunting | No | No | No | No | No | No |
| TTP | Yes | Yes | Yes | No | Yes | No |
| Baseline | No | No | No | No | Yes | No |
| Anomaly | No | Yes | No | No | Yes | No |
| Correlation | Yes | No | No | No | Yes | No |
Status
| Status | Explanation |
|---|---|
| Production | These are fully tested detections, run in a Splunk Enterprise Security environment with the latest Splunk TAs installed against the associated attack data |
| Experimental | These detections DO NOT have associated attack data, because we were either not able to simulate the attack or the attack data contains sensitive information that we were not able to publish to our attack data repository |
| Deprecated | These detections are deprecated and no longer supported or maintained by Splunk. Usually, the description of a deprecated detection has a note regarding why the detection is deprecated and whether a replacement detection is available |
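The two tables above define what a content author should expect from each type and status. The following lint check, an added example and not code from the security_content project, turns them into consistency rules: a detection whose type does not generate notables or risk out of the box should not declare those actions, a production detection must have attack data tests, and an experimental one must not. The detection is assumed to be already loaded from its YAML into a dict; the field names `actions`, `tests` and `description` are assumptions about that layout.

```python
"""Lint rules derived from the ESCU detection type and status tables.

Added example, not code from splunk/security_content. The `actions` and
`tests` keys are assumed names for the declared response actions and the
attack-data test references of a detection.
"""

# Out-of-the-box configuration per analytic type, taken from the
# "Detection Configurations" table (notable, RBA risk, playbook, cron).
TYPE_CONFIG = {
    "TTP":         dict(notable=True,  risk=True,  playbook=True,  cron=True),
    "Anomaly":     dict(notable=False, risk=True,  playbook=False, cron=True),
    "Hunting":     dict(notable=False, risk=False, playbook=False, cron=False),
    "Baseline":    dict(notable=False, risk=False, playbook=False, cron=True),
    "Correlation": dict(notable=True,  risk=False, playbook=False, cron=True),
}
STATUSES = {"production", "experimental", "deprecated"}


def lint_detection(det: dict) -> list[str]:
    """Return a list of findings; an empty list means the detection is consistent."""
    findings = []
    dtype, status = det.get("type"), det.get("status")
    if dtype not in TYPE_CONFIG:
        findings.append(f"unknown type {dtype!r}; expected one of {sorted(TYPE_CONFIG)}")
        return findings
    if status not in STATUSES:
        findings.append(f"unknown status {status!r}; expected one of {sorted(STATUSES)}")
    cfg = TYPE_CONFIG[dtype]
    actions = set(det.get("actions", []))  # assumed: declared response actions
    # A type that does not produce notables or risk OOB should not declare them.
    if "notable" in actions and not cfg["notable"]:
        findings.append(f"{dtype} detections do not generate notables out of the box")
    if "risk" in actions and not cfg["risk"]:
        findings.append(f"{dtype} detections do not contribute risk (RBA) out of the box")
    has_attack_data = bool(det.get("tests"))  # assumed: tests reference attack data
    # Production means fully tested against attack data; experimental means none exists.
    if status == "production" and not has_attack_data:
        findings.append("production detection has no associated attack data tests")
    if status == "experimental" and has_attack_data:
        findings.append("experimental detection should not have attack data tests")
    if status == "deprecated" and "deprecat" not in det.get("description", "").lower():
        findings.append("deprecated detection should state why and name any replacement")
    return findings


# Constructed sample detections (not real ESCU content).
SAMPLE_OK = {"type": "TTP", "status": "production", "actions": ["notable", "risk"],
             "tests": [{"attack_data": "constructed"}], "description": "..."}
SAMPLE_BAD = {"type": "Hunting", "status": "production", "actions": ["notable"],
              "tests": [], "description": "..."}
```

Running `lint_detection(SAMPLE_BAD)` reports two findings: a Hunting detection declaring a notable, and a production detection with no attack data tests.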